Tuesday, July 22, 2025

On July 18, 2025, CrushFTP disclosed active zero-day exploitation of a critical vulnerability tracked as CVE-2025-54309 (CVSS 9.0). The flaw is a mishandling of AS2 validation that occurs when the DMZ proxy feature is not in use; it lets a remote attacker obtain administrative access over HTTPS. Affected versions are CrushFTP 10 before 10.8.5 and CrushFTP 11 before 11.3.4_23. CrushFTP had already fixed a related issue, but the attackers reverse-engineered the shipped code, found that the earlier fix was incomplete, and re-exploited the same logic against servers that had not yet picked up the corrected build.
CrushFTP is widely deployed by government agencies, healthcare organizations, and large enterprises to move sensitive files. An attacker holding admin rights on the server can read or exfiltrate data, create backdoor accounts, and pivot into connected internal systems, and the exposure is greatest where the server is reachable directly rather than through a DMZ instance. The vulnerable code is present in builds produced before July 1, 2025, and is being exploited by a sophisticated, as yet unidentified threat actor who reverse-engineered the application to target unpatched servers.
CrushFTP advises administrators to inspect the user.xml file under MainUsers/default/ for unauthorized changes and to look for new or unusual admin logins. Unfamiliar usernames, or existing accounts that have gained admin rights, are indicators of a successful compromise. Recommended response steps are to restore the default user from a known-good backup taken before the exploitation window, allow-list the IP addresses that may reach the admin interface, expose the server only through a CrushFTP DMZ instance, and enable automatic updates so the fixed build is applied. Notably, CrushFTP was exploited in April 2025 (CVE-2025-31161, an authentication bypass used to deliver malware) and in 2024 (CVE-2024-4040, exploited in attacks against U.S. entities). These repeated incidents mark CrushFTP as a high-value target in advanced threat campaigns and call for an urgent risk assessment and mitigation.
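The detection step above (check the user definitions under MainUsers for tampering and for accounts that have gained admin rights) is easiest to do against a baseline taken from a known-good installation. The script below is an added example written for this page, not CrushFTP's own tooling: it snapshots every MainUsers/<name>/user.xml as a hash plus a flattened element map, stores that as JSON, and later reports new, missing, or modified accounts field by field. The directory layout (users/MainUsers/<name>/user.xml) follows the advisory; the element names in the constructed sample files (username, password, site_admin) are placeholders for the demo, so take the real schema from a clean install. The diff itself is schema-independent.

```python
# Added example (not CrushFTP's own tooling): diff each MainUsers/<name>/user.xml
# against a known-good snapshot and report new, removed or modified accounts.
# Element names in the sample files (username, password, site_admin) are
# placeholders chosen for this demo; take the real schema from a clean install.
import hashlib
import json
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path


def flatten(elem, prefix=""):
    """Flatten an XML tree into {element-path: text} so any schema can be diffed."""
    path = f"{prefix}/{elem.tag}"
    if len(elem):                       # has child elements: recurse into them
        out = {}
        for child in elem:
            out.update(flatten(child, path))
        return out
    return {path: (elem.text or "").strip()}


def snapshot(users_root: Path) -> dict:
    """Hash plus flattened fields for every <users_root>/<name>/user.xml."""
    snap = {}
    for xml_path in sorted(users_root.glob("*/user.xml")):
        snap[xml_path.parent.name] = {
            "sha256": hashlib.sha256(xml_path.read_bytes()).hexdigest(),
            "fields": flatten(ET.parse(xml_path).getroot()),
        }
    return snap


def audit(users_root: Path, baseline: dict) -> list:
    """Compare the live tree with a baseline snapshot; return human-readable findings."""
    findings = []
    current = snapshot(users_root)
    for name, cur in current.items():
        old = baseline.get(name)
        if old is None:
            findings.append(f"NEW USER: {name}")             # account absent from the baseline
            continue
        if cur["sha256"] == old["sha256"]:
            continue                                          # byte-identical, nothing to report
        for key in sorted(set(old["fields"]) | set(cur["fields"])):
            before, after = old["fields"].get(key), cur["fields"].get(key)
            if before != after:
                findings.append(f"CHANGED {name}: {key}: {before!r} -> {after!r}")
    for name in baseline:
        if name not in current:
            findings.append(f"MISSING USER: {name}")          # account deleted since the baseline
    return findings


def write_user(users_root: Path, name: str, fields: dict) -> None:
    """Write a minimal, constructed (placeholder-schema) user.xml for the demo."""
    root = ET.Element("user", type="properties")
    for tag, text in fields.items():
        ET.SubElement(root, tag).text = text
    user_dir = users_root / name
    user_dir.mkdir(parents=True, exist_ok=True)
    ET.ElementTree(root).write(user_dir / "user.xml", encoding="utf-8", xml_declaration=True)


def demo() -> list:
    """Snapshot a clean tree, then tamper with it the way a post-compromise audit should catch."""
    with tempfile.TemporaryDirectory() as tmp:
        users = Path(tmp) / "users" / "MainUsers"
        write_user(users, "default", {"username": "default", "password": "x", "site_admin": "false"})
        write_user(users, "alice", {"username": "alice", "password": "y", "site_admin": "false"})
        baseline = json.loads(json.dumps(snapshot(users)))   # round-trip: keep this JSON off-box
        # Constructed tampering: default promoted to admin, unknown account added.
        write_user(users, "default", {"username": "default", "password": "x", "site_admin": "true"})
        write_user(users, "svc_backup", {"username": "svc_backup", "password": "z", "site_admin": "true"})
        return audit(users, baseline)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In practice, run snapshot() once against a freshly installed or just-patched server and store the JSON somewhere the CrushFTP service account cannot write, then run audit() on a schedule and alert on any finding. Hash comparison is the cheap first gate; the field-level diff tells you what changed so that a privilege change on the default user stands out from, say, a password rotation.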
Source https://thehackernews.com/2025/07/hackers-exploit-critical-crushftp-flaw.html